package com.automannn.authorize.server;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

/**
 * @author automannn@163.com
 * @time 2019/6/23 22:28
 */
@Configuration
@EnableAuthorizationServer
public class AutomannnAuthorizeServer extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(final AuthorizationServerSecurityConfigurer security) throws Exception {
        /*xxx: 是否允许表单的方式，对客户端进行认证，默认情况下是不允许的*/
        security.allowFormAuthenticationForClients();
        //访问tokenkey的时候需要进行身份认证  默认是denyAll();
        security.tokenKeyAccess("isAuthenticated()");
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(jwtTokenStore())
                .accessTokenConverter(jwtAccessTokenConverter());
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients)
            throws Exception {
        //JdbcClientDetailsService可以动态管理数据库中客户端数据
        //http://localhost:8080/oauth/authorize?client_id=testclientid&redirect_uri=http://localhost:9001/authCodeCallback&response_type=code&scope=read_userinfo
        clients.inMemory()
                .withClient("going1")//clientId：（必须的）用来标识客户的Id。
                .secret("12345678")//secret：（需要值得信任的客户端）客户端安全码，如果有的话。
//                .redirectUris("http://localhost:9001/authCodeCallback")//客户端应用负责获取授权码的endpoint
                .authorizedGrantTypes("authorization_code","refresh_token")// 授权码模式
                .scopes("all","read_userinfo", "read_contacts")//scope：用来限制客户端的访问范围，如果为空（默认）的话，那么客户端拥有全部的访问范围。
                .and()
                    .withClient("going2")//clientId：（必须的）用来标识客户的Id。
                    .secret("12345678")//secret：（需要值得信任的客户端）客户端安全码，如果有的话。
    //                .redirectUris("http://localhost:9001/authCodeCallback")//客户端应用负责获取授权码的endpoint
                    .authorizedGrantTypes("authorization_code","refresh_token")// 授权码模式
                    .scopes("all","read_userinfo", "read_contacts");
    }

    @Bean
    public TokenStore jwtTokenStore(){
        return  new JwtTokenStore(jwtAccessTokenConverter());
    }

    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter(){
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey("chenkaihai");
        return converter;
    }

}
